AGIDAT – Datenschutz | Informationssicherheit

Records of Processing Activities

RoPA per Art. 30 GDPR — complete, current, audit-ready.

What is a Record of Processing Activities?

Art. 30 GDPR requires every organization (with very limited exceptions) to maintain a written Record of Processing Activities — a structured register of all personal data processing operations carried out by or on behalf of the organization. It must be made available to the supervisory authority on request.

Required content per Art. 30 GDPR

Each entry in the RoPA must document:

  • Name and contact details of the controller (and DPO where applicable)
  • Purposes of the processing
  • Categories of data subjects and personal data
  • Categories of recipients
  • Transfers to third countries (and safeguards applied)
  • Planned retention periods
  • Description of Technical and Organizational Measures (TOMs)

How we build your RoPA

We conduct structured interviews with your departments to capture all processing activities — from HR and marketing to IT and customer service. The result is a complete, well-structured RoPA in your preferred format (Word, Excel, or a compliance tool). We also keep it updated as your processing landscape changes.